Locari is built so you, as a landlord, can comply with GDPR without being a data protection expert. Consent, data minimization, and data subject rights are integrated directly into the rental workflow.
What Locari does automatically: send consent emails (Art. 7), provide data protection notices at first contact (Art. 13), only request sensitive criteria in the appropriate phase, delete applicant data automatically after completion. What you decide: whether to withdraw a consent manually, whether to delete applicant data early, which privacy policy is linked in the application form.
Common Tasks
- Look up the legal basis for my processing
- Understand data minimization under the three-phase model
- Fulfill a data subject right — access, deletion, rectification
- Understand retention and automatic deletion
- Understand the data processing relationship
- Pre-launch checklist
How To
Handle a deletion request (Art. 17)
- Applicant requests deletion via the withdrawal link or in writing.
- Is the process still active? Then inform the applicant first — they can withdraw their application themselves at any time via the withdrawal link.
- After completion: remove via Delete data in the rental case > Consents tab. Deletion runs immediately and completely.
What happens on withdrawal: the applicant clicks the withdrawal link — Locari then deletes all applicant data automatically and sends a confirmation email. What you decide: whether to proactively remove an applicant via Delete data before they withdraw themselves.
Legal Bases
Locari supports the GDPR legal bases relevant to the rental process:
- Art. 6(1)(f) — Legitimate interest: first contact and communication as part of viewing interest (Phase A).
- Art. 6(1)(b) — Pre-contractual measures: reviewing a potential tenant selection and preparing the lease (Phases B and C).
- Art. 6(1)(a) — Consent / Art. 22 — Automated decision-making: for AI-assisted profile evaluation, Locari obtains the applicant's explicit consent before any evaluation.
Three-Phase Model
The German data protection authorities (DSK) set out a three-phase model for requesting data from prospective tenants in their guidance of 24 Jan 2024. Core principle: data minimization per phase — you only request what the current phase requires.
- Phase A — Viewing interest: name, email, phone, rough household size only.
- Phase B — Rental interest (after viewing): plus occupation, rough income (self-declaration), pets, freedom from rent debt.
- Phase C — Shortlist: plus income proof (3 months), credit report (SCHUFA), redacted ID copy.
Locari applies this in your listing's criteria selection: sensitive criteria are assigned a minimum phase, and Locari warns you if you would request Phase C data too early. More under Applicant Criteria.
Data Subject Rights
Right of Access (Art. 15) and Data Portability (Art. 20)
If an applicant asks what data is stored, you, as the controller, provide the information. All applicant data is held in a structured form in the applicant profile.
Right to Rectification (Art. 16)
Correct incorrect data directly in the applicant profile; the change is documented in the history.
Right to Erasure (Art. 17)
After the process ends, applicant data is deleted automatically once the retention period expires. On request, delete immediately via Delete data in the rental case.
Right to Withdraw and Object (Art. 7(3) / Art. 21)
The withdrawal link in every consent email is permanently valid and never expires — Locari implements a withdrawal immediately and deletes the applicant data.
Retention Periods
During the Process
Applicant data is stored while the process is active.
After Completion
Once a rental case is completed, Locari schedules automatic deletion of the applicant data after 180 days (evidence preservation under German anti-discrimination law, AGG). This period is fixed; you don't configure anything.
On Withdrawal, Decline, or Expiry
If an applicant withdraws, declines, or does not respond (expiry after 10 days), Locari deletes the applicant data immediately. More under Data Deletion.
Separately, you as a landlord may be subject to your own statutory retention obligations (e.g. tax or commercial law for contract documents). Those concern the signed lease, not the application data of rejected prospects.
Technical Measures
Encryption and Servers
- Encrypted connections (TLS) and encrypted storage
- Server location EU (Stockholm) — no data transfer outside the EU
Access
- Access only for the members of your workspace
- Transparent email confirmation when logging in from a new device (one code by email, no extra setup)
Data Processing Agreement
For processing applicant data, Locari (Ametis Digital GmbH) acts as a data processor (Art. 28 GDPR) — you, as the landlord, remain the controller.
If you choose your own privacy policy (URL or PDF) for the listing instead of the Locari template, Locari shows a ready-made data-processing clause in the Consents tab that you can copy with one click and include in your own policy.
Checklist for Landlords
- [ ] Privacy policy chosen for your listing (Locari template or your own URL/PDF)
- [ ] If using your own policy: data-processing clause included
- [ ] Applicant criteria configured per the three-phase model (no Phase C data too early)
- [ ] Team informed about the data protection workflow